such that a service attack on the server can be avoided when a false nonce is received by the server with an AP request message. 
Thus the server can disregard AP request messages that are not accompanied by a nonce stored by the server. The method can be 
implemented through circuitry, electrical signals and code to accomplish the acts described in the method. 

INTERNET PROTOCOL TELEPHONY SECURITY ARCHITECTURE

This application claims priority from co-pending PCT Application No.
PCT/US00/09318 filed on April 7, 2000 entitled, "Built-in Manufacturer's Certificates for
a Cable Telephony Adapter to Provide Device and Service Certification," which claims
priority from U.S. Application No. 60/128,772 entitled, "Internet Protocol Telephony
Security Architecture" filed on April 9, 1999, as well as PCT Application No.
PCT/US00/02174 filed on January 28, 2000 entitled "Key Management for Telephone
Calls to Protect Signaling and Call Packets Between CTA's," all of which are hereby
incorporated by reference for all that they disclose and for all purposes.

BACKGROUND 

This invention relates generally to network security, and more particularly,
to a system for providing key management between a server and a client, e.g., in a
telephony or an IP telephony network.

In networks that are based on a client/server configuration, there is a need
to establish a secure channel between the server and the clients. In addition, in networks
that utilize a third party to certify a trust relationship, there is a need to provide an
efficient mechanism that allows a key management message to be initiated by the server.
In such networks that utilize a trusted third party for the server and client, the client can
typically request an encrypted authentication token from the trusted third party that can be
used to initiate key management with the specified server; however, the server will
typically initiate the key management session directly with the client. It is less preferable
for the server to obtain from the trusted third party encrypted authentication tokens for
each of the clients. Such an approach would add overhead to a server, requiring it to
maintain cryptographic state for each of the clients. If such a server were to fail, a backup
server would be required to undergo a recovery procedure in which it has to obtain new
authentication tokens for each of the clients. The clients need to be initialized during
their provisioning phase to allow them to successfully authenticate to a trusted third party
and obtain the encrypted authentication tokens. One proposed method for client
initialization is disclosed in PCT Application No. PCT/US00/09318 entitled "BUILT-IN
MANUFACTURER'S CERTIFICATES FOR A CABLE TELEPHONY ADAPTER TO
PROVIDE DEVICE AND SERVICE CERTIFICATION." Nevertheless, a need exists to
provide an efficient mechanism through which the server can initiate the key management
session with the client, as opposed to a system in which only the client can initiate such a
session.

One such client/server network is the client/server network that exists in IP
telephony. In IP telephony systems, a cable telephony adapter (CTA) device can be used
to allow a user to send and receive information in secure transactions over an IP
telephony network. In typical operation, a series of signaling messages are exchanged
that register the CTA device with the IP telephony network before a secure channel with
another user can be established. Therefore, the CTA device needs to be authenticated by
the IP telephony system. Otherwise, the process would be open to denial of service
attacks — since some provisioning exchanges can be forged. In addition, it is desirable
for the service provider to identify the CTA device — to make sure that only authorized
devices are allowed in its IP Telephony network.

SUMMARY OF THE INVENTION

One embodiment of the invention comprises a system for providing key
management in a client/server network. This embodiment of the invention utilizes a
method to provide key management by providing a server, providing a client configured
to be coupled to the server; providing a trusted third party configured to be coupled to the
client; and allowing the server to initiate the key management session with the client.

One embodiment is operable as a method to generate a trigger message at
the server, generate a nonce at the server; and, convey the trigger message and the nonce
to the client. At the client, the client receives the trigger message and the nonce and
responds by conveying a response message with a return nonce. The server can then
determine that the response message is valid by comparing the values of the
returned_nonce and the nonce that was generated by the server.

In addition, one embodiment can be implemented in code and by circuitry
operable to produce the acts of the method.

A further understanding of the nature of the inventions disclosed herein
will be realized by reference to the remaining portions of the specification and the
attached drawings.



WO 02/25899

PCT/US01/29654



BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a flow chart demonstrating an overview of one embodiment
of the invention.

FIGS. 2A and 2B show a more detailed flow chart demonstrating a key
management session between a server and a client.

FIG. 3 shows steps of a key management session after the key
management session is initiated.

FIG. 4 shows a general block diagram of a client/server/trusted third party
network.

FIG. 5 shows a block diagram of an IP telephony network in which a cable
telephony adapter, a signaling controller, and a key distribution center are coupled with
one another.

FIG. 6 shows the implementation of the data structures for establishing a
key management session as implemented by one embodiment of the invention.

DESCRIPTION OF THE SPECIFIC EMBODIMENTS

FIG. 1 shows a flow chart demonstrating an overview of one embodiment
of the invention. In flow chart 100, a server is provided 104 and a client coupled to the
server is also provided 108. A trusted third party for the server and the client is provided
112 and the server is allowed to initiate a key management session with the client by
utilizing a nonce 116.

It should be understood that a server is a shared computer on a network,
such as a signaling controller used in an IP telephony network. Furthermore, it should be
understood that a client is a computer or device served by another network computing
device, such as a cable telephony adapter (client) being served by a signaling controller
(server) via an IP telephony system. In addition, it should be understood that a trusted
third party for the server and the client is a device or computer utilized by at least two
parties that facilitates cryptographic processes such as certifying the identity of one of the
two parties to the other. Finally, it should be understood that a nonce is a number
generated that is utilized only once. The use of a nonce helps to prevent an attacker from
implementing a replay attack. Such a nonce can be generated randomly.

The method of FIG. 1 can be better understood by reference to FIG. 2A
and FIG. 2B. In the method designated 200 in FIG. 2A and FIG. 2B, a server such as a
signaling controller in an IP telephony system is provided 204. In addition, a client such
as a cable telephony adapter in an IP telephony system is also provided 208. A trusted
third party for the client and server, such as a key distribution center in an IP telephony
system, is provided 212, as well. The server, client, and trusted third party are coupled to
one another. Typically, the client initiates key management sessions with the server.
However, there will be times when the server will need to initiate a key management
session with the client. Rather than authenticating the trigger message (e.g. with a digital
signature and certificate), the invention can utilize a nonce in the authentication of the
subsequent AP Request message from the client. This embodiment of the invention does
not prevent an adversary (impersonating a legitimate server) from sending an illicit
trigger message to the client and fooling it into responding with an AP Request. Instead it
provides that such an AP Request will be rejected by the legitimate server. This
mechanism is designed to reduce the server's overhead of initiating key management
exchanges with its clients, while still maintaining sufficient security. Thus, in 216 a
trigger message is generated at the server to initiate a key management session. Then, a
nonce is generated at the server 220 and the nonce and trigger message are coupled
together and conveyed to the client 224. The client receives the trigger message and the
nonce 228. Then the client designates the nonce as a returned_nonce 232. In this way,
the client can return the received nonce to the server for verification that the message is
from the client. In 236, a second nonce is generated at the client. The second nonce is for
use by the server and client as part of the key management session being initiated. The
client generates a response message to the trigger message that was received from the
server 240. Then the response message, the returned_nonce, and the second nonce are
conveyed to the server 244.

At the server, the value of the returned_nonce is compared to the value of
the nonce which was generated at the server. If the values of the returned_nonce and the
nonce stored at the server are equivalent, the key management session can proceed.
However, if the value of the returned_nonce does not equal the value of the nonce stored
at the server then a determination is made that the returned_nonce is actually a false
nonce 252. In such a case there is a possibility that the signal has been corrupted; or,
there is a possibility that an attacker is trying to initiate a service attack. In a service
attack, the attacker tries to fraudulently initiate a rekeying session in order to cause the
server to utilize processor cycles which prevent the processor from utilizing those cycles
for other operations. Thus the server would become less effective under such an attack
than it would be under normal conditions. By repeating such an attack, an attacker can
prevent the server from operating efficiently and thus can compromise the operation of
the client server network, such as an IP telephony network. If the returned_nonce is
determined to be not equivalent to the value of the nonce stored at the server, the response
message sent with the returned_nonce is disregarded as being unauthenticated 256.
However, if the returned_nonce does equal the value of the nonce stored at the server,
then the key management session continues 260.

FIG. 3 shows additional steps in a typical key management session as
highlighted by block 260 in FIG. 2B. In FIG. 3, method 300 shows that an application
(AP) REPLY is generated 364 by the server. The AP REPLY is conveyed to the client
with the second nonce that was generated by the client 368. The AP Request is an
abbreviation for Application Request and AP Reply stands for Application Reply. For
example, these two messages can be specified by the Kerberos Key Management standard
(see IETF RFC 1510). As a further example, in the context of Kerberos, the second
nonce can be the client's time expressed in microseconds. When the AP REPLY and
second nonce are received at the client, the client transmits a security association (SA)
recovered message to the server 372. This completes the applicable Kerberos key
management session.

FIG. 4 shows a block diagram of a client/server/trusted third party
network. A client 401 is coupled with a server 402. In addition, the client is coupled
with a trusted third party 404. The trusted third party is also coupled with the server 402.
FIG. 4 thus demonstrates the network within which one embodiment of the invention can
be implemented.

In FIG. 5 an IP telephony network implementing one embodiment of the
invention is demonstrated. A client such as a cable telephony adapter 501 is coupled with
a server, such as signaling controller 502. Furthermore, the cable telephony adapter and
signaling controller are also coupled to a trusted third party, illustrated as key distribution
center 504. Furthermore the signaling controller is coupled with the IP telephony
network 508. Such a network as that illustrated in FIG. 5 would be useful for establishing
an IP telephony call from a user who is coupled to the cable telephony adapter through
the IP telephony network 508 to another user connected to a similar network. Thus the
user can be authenticated as the calling party through the cable telephony adapter and
signaling controller when the call is placed across the IP telephony network. Further
details of such a network are illustrated in the references which were incorporated by
reference.

FIG. 6 illustrates data structures for implementing a Kerberos key
management session initiated by a server in a client/server network. In FIG. 6 a nonce
number 1 is coupled with an initiation signal such as a trigger or wakeup message and the
combined message is transmitted across an interface 601 to the client. The client stores
nonce number 1. It then adds nonce number 2 and an application request in a data structure
such as that shown in FIG. 6. This set of data is then transmitted across the interface back
to the server. The server compares the value of received nonce number 1 with the value
of nonce number 1 stored at the server so as to confirm the authenticity of the AP
Request. Upon authenticating the AP Request, the server generates an AP Reply and
couples it with nonce number 2 which was generated by the client. The combined nonce
number 2 and AP Reply are then transmitted across the interface to the client. The client
is able to verify the authenticity of the AP Reply by comparing the value of nonce number
2 received from the server with the value of nonce number 2 stored at the client. Upon
authenticating the AP Reply, the client generates a Security Association (SA) recovered
message and transmits that across the interface to the server. This Kerberos-based key
management protocol is thereby implemented in an efficient way and furthermore allows
the server to initiate the key management session with the use of only an additional nonce
as overhead to the initiation message. Thus the method is highly efficient in that only a
nonce need be used in the authentication process of the initiation message.
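
The exchange of FIGS. 2A/2B and FIG. 6 as a runnable sketch, added here as an example and not part of the patent text: it models only the nonce bookkeeping, so the AP Request and AP Reply are stand-ins that carry no Kerberos ticket. The class and field names, the 16-byte random nonces (nonce 2 is random here rather than a client timestamp), and the constant-time comparison are assumptions of this example.

```python
import hmac
import secrets

NONCE_BYTES = 16  # assumption: the page does not specify a nonce length


class Server:
    """Signaling-controller role: sends trigger + nonce 1, checks the AP Request."""

    def __init__(self):
        self.pending = {}     # client id -> nonce 1 still awaiting an AP Request
        self.disregarded = 0  # AP Requests dropped as unauthenticated

    def send_trigger(self, client_id):
        nonce1 = secrets.token_bytes(NONCE_BYTES)
        self.pending[client_id] = nonce1
        return {"type": "TRIGGER", "nonce": nonce1}

    def on_ap_request(self, client_id, msg):
        stored = self.pending.get(client_id)
        returned = msg.get("returned_nonce", b"")
        # Cheap check first: with no stored nonce, or a mismatch, the message
        # is disregarded before any expensive key-management work is done.
        ok = (stored is not None and isinstance(returned, bytes)
              and hmac.compare_digest(stored, returned))
        if not ok:
            self.disregarded += 1
            return None
        del self.pending[client_id]  # a nonce is used only once
        return {"type": "AP_REPLY", "nonce": msg["client_nonce"]}


class Client:
    """CTA role: echoes nonce 1, adds nonce 2, verifies nonce 2 in the AP Reply."""

    def __init__(self):
        self.nonce2 = None

    def on_trigger(self, msg):
        self.nonce2 = secrets.token_bytes(NONCE_BYTES)
        return {"type": "AP_REQUEST",
                "returned_nonce": msg["nonce"],
                "client_nonce": self.nonce2}

    def on_ap_reply(self, msg):
        if self.nonce2 is None or not hmac.compare_digest(self.nonce2, msg["nonce"]):
            return None
        self.nonce2 = None
        return {"type": "SA_RECOVERED"}


def demo():
    server, client = Server(), Client()
    trigger = server.send_trigger("cta-1")  # "cta-1" is a constructed client id

    # Constructed false nonce: an AP Request that did not come from this trigger.
    forged = {"type": "AP_REQUEST",
              "returned_nonce": bytes(NONCE_BYTES),
              "client_nonce": bytes(NONCE_BYTES)}
    forged_result = server.on_ap_request("cta-1", forged)

    # The genuine exchange still completes, because a false nonce does not
    # consume the stored nonce 1.
    request = client.on_trigger(trigger)
    reply = server.on_ap_request("cta-1", request)
    final = client.on_ap_reply(reply)

    # Replaying the same AP Request afterwards fails: nonce 1 was removed.
    replay_result = server.on_ap_request("cta-1", request)
    return {"forged": forged_result, "final": final,
            "replay": replay_result, "disregarded": server.disregarded}


if __name__ == "__main__":
    print(demo())
```

Keeping the stored nonce in place when a false nonce arrives means a forged AP Request cannot cancel a session the server legitimately triggered.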

In addition to embodiments where the invention is accomplished by
hardware, it is also noted that embodiments can be accomplished through the use of
an article of manufacture comprised of a computer usable medium having a computer
readable program code embodied therein, which causes the enablement of the functions
and/or fabrication of the hardware disclosed in this specification. For example, this might
be accomplished through the use of hardware description language (HDL), register
transfer language (RTL), VERILOG, VHDL, or similar programming tools, as one of
ordinary skill in the art would understand. The book "A Verilog HDL Primer" by J.
Bhasker, Star Galaxy Pr., 1997 provides greater detail on Verilog and HDL and is hereby
incorporated by reference for all that it discloses for all purposes. It is therefore
envisioned that the functions accomplished by the present invention as described above
could be represented in a core which could be utilized in programming code and
transformed to hardware as part of the production of integrated circuits. Therefore, it is
desired that the embodiments expressed above also be considered protected by this patent
in their program code means as well.






It is noted that embodiments of the invention can be accomplished by use
of an electrical signal, such as a computer data signal embodied in a carrier wave, to
convey the pertinent signals to a receiver. Thus, where code is illustrated as stored on a
computer medium, it should also be understood to be conveyable as an electrical signal.
Similarly, where a data structure is illustrated for a message, it should be understood to
also be capable of being embodied in an electrical signal for transmission across a
medium, such as the internet.

It is also noted that many of the structures and acts recited herein can be
recited as means for performing a function or steps for performing a function,
respectively. Therefore, it should be understood that such language is entitled to cover all
such structures or acts disclosed within this specification and their equivalents, including
the matter incorporated by reference.

It is thought that the apparatuses and methods of the embodiments of the
present invention and many of its attendant advantages will be understood from this
specification and it will be apparent that various changes may be made in the form,
construction and arrangement of the parts thereof without departing from the spirit and
scope of the invention or sacrificing all of its material advantages, the form herein before
described being merely exemplary embodiments thereof.






WHAT IS CLAIMED IS: 

1. A method of providing key management comprising:
    providing a server;
    providing a client configured to be coupled to said server;
    providing a trusted third party configured to be coupled to said client;
    allowing said server to initiate a key management session with said client.

2. The method as described in claim 1 wherein said allowing said server to initiate
said key management session with said client comprises:
    generating a trigger message at said server,
    generating a nonce at said server;
    conveying said trigger message and said nonce to said client.

3. The method as described in claim 2 and further comprising:
    receiving said trigger message and said nonce at said client;
    generating a response message to said trigger message;
    conveying said response message and a returned_nonce to said server.

4. The method as described in claim 3 and further comprising:
    predetermining an out-of-bounds value for said nonce to prevent an attacker from
    simulating a client initiated key management session;
    checking said nonce to determine whether the value of said nonce is said
    out-of-bounds value.

5. The method as described in claim 3 and further comprising:
    confirming the value of said returned_nonce at said server; and
    conveying a reply message from said client to said server.

6. The method as described in claim 1 and further comprising:
    receiving from said client a response message and a false_nonce at said server;
    determining that said false_nonce is false;
    disregarding said client response message.

7. A method of providing key management in a Kerberos based system, said method
comprising:
    providing a server;
    providing a client configured to be coupled to said server;
    providing a key distribution center configured to act as a trusted third party for
    said client and said server,
    initiating a key management session by said server with said client.

8. The method as described in claim 7 and further comprising:
    generating a trigger message at said server;
    generating a nonce at said server;
    conveying said trigger message and said nonce to said client.

9. The method as described in claim 8 and further comprising:
    receiving said trigger message and said nonce at said client;
    generating a response message to said trigger message;
    conveying said response message and a returned_nonce to said server.

10. The method as described in claim 9 and further comprising:
    confirming the value of said returned_nonce at said server; and then
    continuing with said key management session.

11. The method as described in claim 7 and further comprising:
    receiving at said server a response message and a false_nonce from said client;
    determining that said false_nonce does not match said nonce;
    determining that said server did not initiate said key management session.

12. A method of initiating a key management session for a cable telephony adapter
(CTA) and a Signaling Controller in an IP Telephony network, the method comprising:
    providing said Signaling Controller,
    providing said CTA configured to be coupled to said Signaling Controller;
    providing a key distribution center (KDC);
    generating a trigger message at said Signaling Controller;
    generating a nonce at said Signaling Controller,
    coupling said nonce with said trigger message;
    transmitting said nonce coupled with said trigger message to said CTA;
    generating a response message to said trigger message;
    using the value of said nonce as the value of a returned_nonce;
    coupling said response message with said returned_nonce;
    transmitting said returned_nonce and said response message to said Signaling
    Controller,
    comparing said returned_nonce to said nonce;
    transmitting an AP reply in reply to said response message;
    transmitting an SA recovered message to said Signaling Controller.

13. A method of conveying a key from a server to a client, comprising:
    generating a wakeup message at said server;
    generating a server_nonce at said server,
    conveying said wakeup message and said nonce to said client;
    generating an AP request message at said client;
    conveying a client_nonce and said AP request message to said server,
    confirming that said client_nonce conveyed with said AP request message
    matches said server_nonce generated at said server;

14. A method of confirming that a message received by a server from a client was
triggered by the server
    receiving an AP request message from said client;
    receiving a client_nonce from said client wherein said client_nonce is associated
    with said AP request;
    determining whether said client_nonce matches a nonce conveyed from said
    server.

15. The method as described in claim 14 and further comprising:
    determining that said client_nonce does not match said nonce conveyed from said
    server, and
    disregarding said AP request.

16. The method as described in claim 15 and further comprising:
    awaiting at said client for a reply from said server to said AP request;
    aborting said AP request session after a predetermined time period if no reply is
    received from said server.

17. The method as described in claim 14 and further comprising:
    determining that said client_nonce does match said nonce conveyed from said
    server, and
    generating an AP reply at said server to said AP request.

18. A system for providing key management in a Kerberos based system
comprising:
    a server;
    a client configured to be coupled to said server,
    a key distribution center configured to act as a trusted third party for said client
    and said server;
    computer code coupled to said server operable to initiate a key management
    session by said server with said client.

19. The system as described in claim 18 wherein said computer code operable to
initiate a key management session comprises computer code operable to generate a trigger
message at said server; and further comprising:
    computer code coupled to said server operable to generate a nonce at said server;
    computer code coupled to said server operable to convey said trigger message and said
    nonce to said client.

20. The system as described in claim 19 and further comprising:
    computer code coupled to said client operable to generate a response message to
    said trigger message;
    computer code coupled to said client operable to convey said response message
    and a returned_nonce to said server.

21. The system as described in claim 20 and further comprising:
    computer code coupled to said server operable to confirm the value of said
    returned_nonce at said server.